from /var/log/auth.log
guys, here is the output from 20 mins ago from auth.log. i saw this last night. any clues what i'm doing wrong? eg., what is "auxpropfunc"? i've done about as much as i can. spamassassin was not running, etc. i did a reboot so everything should be reinitialized correctly.

Sep 26 12:00:34 ethic shutdown: reboot by kline:
Sep 26 12:00:36 ethic sshd[978]: Received signal 15; terminating.
Sep 26 12:00:51 ethic sm-mta[15391]: sql_select option missing
Sep 26 12:00:51 ethic sm-mta[15391]: auxpropfunc error no mechanism available
Sep 26 12:02:41 ethic saslauthd[833]: detach_tty : master pid is: 833
Sep 26 12:02:41 ethic saslauthd[833]: ipc_init: listening on socket: /var/run/saslauthd/mux
Sep 26 12:02:53 ethic sshd[978]: Server listening on :: port 22.
Sep 26 12:02:53 ethic sshd[978]: Server listening on 0.0.0.0 port 22.
Sep 26 12:02:54 ethic sm-mta[982]: sql_select option missing
Sep 26 12:02:54 ethic sm-mta[982]: auxpropfunc error no mechanism available
Sep 26 12:14:46 ethic sshd[1142]: Accepted publickey for kline from 10.47.0.110 port 55753 ssh2

can anybody help me? gary going for a nap. four hours doesn't cut it no mo'

--
Gary Kline  Seattle BSD Users' Group (seabug) | kl...@magnesium.net
Thought Unlimited Org's Alternate Email Site  http://www.magnesium.net/~kline
To live is not a necessity; but to live honorably...is a necessity. -Kant

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Question about entry in auth.log
--- On Sat, 11/15/08, Jeremy Chadwick <[EMAIL PROTECTED]> wrote:
> From: Jeremy Chadwick <[EMAIL PROTECTED]>
> Subject: Re: Question about entry in auth.log
> To: "Lisa Casey" <[EMAIL PROTECTED]>
> Cc: freebsd-questions@freebsd.org
> Date: Saturday, November 15, 2008, 2:37 AM
>
> On Fri, Nov 14, 2008 at 10:00:13PM -0500, Lisa Casey wrote:
>
> The individual in Romania *was not* able to log in as michael. The message you saw was sshd saying "Someone's trying to SSH in as user michael; SSH key negotiation failed, and now I'm asking them to type in their password manually".
>
> It's not a prank. Shady online individuals have written scripts/tools that repetitively beat on sshd, trying to find an account they can log in as. They're simply scanning for valid accounts, and they also often try many passwords over and over (common things, such as the username as a password).
>
> Welcome to the Internet circa 2008. :(
>
> "So how do I solve this problem?"
>
> The easiest way: change sshd to listen on a port *other* than 22. Many people pick . This relieves 99% of the pain, but requires you to tell your users/co-workers/peers "My box listens on port for ssh, not 22".
>
> A secondary way: programs which monitor logs and add firewall block rules when they see too many brute force attempts coming from an IP address:
>
> ports/security/blocksshd
> ports/security/sshblock
> ports/security/sshguard
>
> (I think I forgot one more, but those are the main three)

I've considered writing an sshd patch for OpenSSH to add bad-authentication throttling to it, such that where X number of invalid attempts featuring at least Y different usernames in Z seconds from the same IP causes sshd to ignore that IP outright for a given time. This would prevent syslog spam and not require any third-party applications.

I've written a socket abstraction library that supports throttling of this sort internally, and it's actually very easy to implement on its own. Implementing it in OpenSSH may be more or less difficult depending on whether there's any central function that is called *every* time an authentication attempt fails. If a few folks respond saying "I'd sure like that patch!", I would likely become more motivated to do so sooner.

- mdh
Re: Question about entry in auth.log
> Also keep in mind that the user may not have actually logged in and gotten a shell; the message you see can also happen if the individual simply scp'd something (e.g. no shell spawned).

but in this case there are other messages about scp, not sure if in auth.log or others. i use a single file for logs, /var/log/messages.

> --
> | Jeremy Chadwick                              jdc at parodius.com |
> | Parodius Networking                     http://www.parodius.com/ |
> | UNIX Systems Administrator                Mountain View, CA, USA |
> | Making life hard for others since 1977.            PGP: 4BD6C0CB |
Re: Question about entry in auth.log
On Fri, Nov 14, 2008 at 11:37:15PM -0800, Jeremy Chadwick wrote:
> On Fri, Nov 14, 2008 at 10:00:13PM -0500, Lisa Casey wrote:
> > Very odd. Sigh, Michael is not vacationing in Romania. Doubt he's ever been there. I got rid of the michael account (it wasn't used anyway), and downloaded a new copy of chkrootkit, installed it and ran it along with chklastlog and chkwtmp. Nothing was found. Perhaps this was a harmless enough prank? Anything else I ought to look at? Fortunately the michael account did not have the ability to su to root.
>
> The individual in Romania *was not* able to log in as michael. The

Correction: the individual **WAS** able to log in as michael. I missed the part of the message that said "Accepted" at the front. Sorry for confusing you, I've had a very rough week and my brain is not functioning.

What Wojciech said is correct -- change the password on the account.

Also keep in mind that the user may not have actually logged in and gotten a shell; the message you see can also happen if the individual simply scp'd something (e.g. no shell spawned).

--
| Jeremy Chadwick                              jdc at parodius.com |
| Parodius Networking                     http://www.parodius.com/ |
| UNIX Systems Administrator                Mountain View, CA, USA |
| Making life hard for others since 1977.            PGP: 4BD6C0CB |
Re: Question about entry in auth.log
Hello,

I personally use key authentication along with the DenyUsers and AllowUsers directives from sshd. One more thing i do regarding ssh brute force is to make use of max-src-conn and max-src-conn-rate from the pf firewall. My auth logs look like:

Nov 14 11:15:36 xxx sshd[3570]: User root from 211.55.48.179 not allowed because not listed in AllowUsers
Nov 14 11:15:38 xxx sshd[3572]: Invalid user admin from 211.55.48.179
Nov 14 11:15:41 xxx sshd[3574]: Invalid user test from 211.55.48.179
Nov 14 11:15:44 xxx sshd[3576]: User root from 211.55.48.179 not allowed because not listed in AllowUsers
Nov 14 11:15:46 xxx sshd[3578]: Invalid user ghost from 211.55.48.179

Five tries from the above ip and if unsuccessful it gets overloaded into a table and all the states originating from that ip are killed. All the servers i have are web/mail ones, none of them is used for users, so i don't know if this is a good approach but i wrote it to help give an idea about it.

a great day,
v

On Sat, Nov 15, 2008 at 5:00 AM, Lisa Casey <[EMAIL PROTECTED]> wrote:
> On Fri, 14 Nov 2008, Tom Marchand wrote:
>
>> Or michael is vacationing in Romania.
>
> Very odd. Sigh, Michael is not vacationing in Romania. Doubt he's ever been there. I got rid of the michael account (it wasn't used anyway), and downloaded a new copy of chkrootkit, installed it and ran it along with chklastlog and chkwtmp. Nothing was found. Perhaps this was a harmless enough prank? Anything else I ought to look at? Fortunately the michael account did not have the ability to su to root.
>
> Lisa
Re: Question about entry in auth.log
> Very odd. Sigh, Michael is not vacationing in Romania. Doubt he's ever been there. I got rid of the michael account (it wasn't used anyway), and downloaded a new copy of chkrootkit, installed it and ran it along with chklastlog and chkwtmp. Nothing was found. Perhaps this was a harmless enough prank? Anything else I ought to look at? Fortunately the michael account did not have the ability to su to root.

it doesn't matter if he/she had, if he/she doesn't know the root password.
Re: Question about entry in auth.log
> Nov 12 15:44:29 mail sshd[30160]: Accepted keyboard-interactive/pam for michael from 89.123.165.3 port 55185 ssh2
>
> There is a user michael on the system, but whoever was doing this was not him.
>
> I am assuming someone tried to break in using a valid username (michael) but with an incorrect password.

it was a VALID password. he successfully logged in. change the password now, look at what the intruder messed with and tell michael to be more careful about his password next time. if the intruder wasn't very smart, he may not have deleted .history; look at what he/she did.
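Two points in this thread lend themselves to a worked check over real auth.log lines: mdh's proposed throttle ("X invalid attempts featuring at least Y different usernames in Z seconds from the same IP") and Jeremy's and Wojciech's correction that an "Accepted ..." line means the login succeeded, so the thing to look for after a burst of failures is an Accepted line from the same source. The Python below is an added example, not code from this thread, from OpenSSH or from any FreeBSD port. The log excerpt is constructed in the line formats quoted above (it is not a real log), the thresholds are arbitrary defaults, and the year is assumed to be 2008 because syslog timestamps do not record one.

```python
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime

# Constructed sample modelled on the line formats quoted in this thread (not a
# real log). 89.123.165.3 guesses four usernames within 20 seconds, then gets
# "Accepted keyboard-interactive/pam" for michael a few minutes later.
SAMPLE_LOG = """\
Nov 12 15:41:02 mail sshd[30103]: Invalid user admin from 89.123.165.3
Nov 12 15:41:05 mail sshd[30103]: Failed password for invalid user admin from 89.123.165.3 port 55110 ssh2
Nov 12 15:41:09 mail sshd[30105]: Failed password for invalid user test from 89.123.165.3 port 55121 ssh2
Nov 12 15:41:13 mail sshd[30107]: User root from 89.123.165.3 not allowed because not listed in AllowUsers
Nov 12 15:41:17 mail sshd[30109]: Failed password for michael from 89.123.165.3 port 55130 ssh2
Nov 12 15:41:22 mail sshd[30111]: Failed password for michael from 89.123.165.3 port 55142 ssh2
Nov 12 15:44:29 mail sshd[30160]: Accepted keyboard-interactive/pam for michael from 89.123.165.3 port 55185 ssh2
Nov 12 16:02:11 mail sshd[30311]: Failed password for mandy from 72.155.127.223 port 51919 ssh2
Nov 12 16:02:40 mail sshd[30315]: Accepted publickey for mandy from 72.155.127.223 port 51933 ssh2
"""

HEAD = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
FAILED_RE = re.compile(
    HEAD
    + r"(?:Failed \S+ for (?:(?:illegal|invalid) user )?(?P<fuser>\S+)"
    + r"|Invalid user (?P<iuser>\S+)"
    + r"|User (?P<nuser>\S+)) from (?P<ip>[\d.]+)"
)
ACCEPTED_RE = re.compile(HEAD + r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[\d.]+)")

Event = namedtuple("Event", "ts kind user ip method pid")


def _ts(text, year):
    # syslog timestamps carry no year; the caller supplies one (assumed here)
    return datetime.strptime(f"{year} {' '.join(text.split())}", "%Y %b %d %H:%M:%S")


def parse(log, year=2008):
    """Yield failed/accepted events. One sshd child handles one connection, so a
    failure is counted once per pid even when sshd logs it twice ("Invalid user X"
    followed by "Failed password for invalid user X")."""
    failed_pids = set()
    for line in log.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            yield Event(_ts(m["ts"], year), "accepted", m["user"], m["ip"], m["method"], m["pid"])
            continue
        m = FAILED_RE.match(line)
        if m and m["pid"] not in failed_pids:
            failed_pids.add(m["pid"])
            user = m["fuser"] or m["iuser"] or m["nuser"]
            yield Event(_ts(m["ts"], year), "failed", user, m["ip"], None, m["pid"])


def find_throttle_hits(log, max_attempts=5, min_users=2, window=60, year=2008):
    """mdh's rule: max_attempts failures naming >= min_users distinct users within
    window seconds from one IP. Returns {ip: time the threshold was first crossed};
    a real implementation would block the IP at that point (pf table, ipfw rule,
    route -blackhole) instead of recording it."""
    recent = defaultdict(deque)   # ip -> (ts, user) pairs still inside the window
    hits = {}
    for ev in parse(log, year):
        if ev.kind != "failed":
            continue
        q = recent[ev.ip]
        q.append((ev.ts, ev.user))
        while (ev.ts - q[0][0]).total_seconds() > window:
            q.popleft()
        if ev.ip not in hits and len(q) >= max_attempts and len({u for _, u in q}) >= min_users:
            hits[ev.ip] = ev.ts
    return hits


def find_suspicious_accepts(log, min_failures=3, lookback=3600, year=2008):
    """An "Accepted ..." line is a successful login. Flag those whose source IP
    failed at least min_failures times in the preceding lookback seconds; that is
    what a guessed password looks like in auth.log."""
    failures = defaultdict(list)  # ip -> failure timestamps seen so far
    flagged = []
    for ev in parse(log, year):
        if ev.kind == "failed":
            failures[ev.ip].append(ev.ts)
        else:
            prior = [t for t in failures[ev.ip] if 0 <= (ev.ts - t).total_seconds() <= lookback]
            if len(prior) >= min_failures:
                flagged.append((ev.ip, ev.user, ev.method, len(prior)))
    return flagged


if __name__ == "__main__":
    for ip, when in find_throttle_hits(SAMPLE_LOG).items():
        print(f"throttle {ip} (threshold crossed {when:%b %d %H:%M:%S})")
    for ip, user, method, n in find_suspicious_accepts(SAMPLE_LOG):
        print(f"ALERT: {method} login as {user} from {ip} after {n} failures; "
              f"check ~{user}/.history and change the password")
```

On the sample, the throttle fires for 89.123.165.3 at the fifth distinct connection (15:41:22, four different usernames inside 20 seconds) and the later keyboard-interactive/pam login as michael from the same address is flagged with five prior failures; mandy's single typo followed by a publickey login is not. The pid dedup matters because counting both the "Invalid user" and the "Failed password for invalid user" line of one connection would make a threshold of five fire after three connections. In production the "block" action would be an entry in a pf table (pfctl -t sometable -T add IP) or an ipfw rule, which is exactly what the ports listed by Jeremy and Daniel's bruteforceblocker do.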
Re: Question about entry in auth.log
On Fri, Nov 14, 2008 at 10:00:13PM -0500, Lisa Casey wrote:
> Very odd. Sigh, Michael is not vacationing in Romania. Doubt he's ever been there. I got rid of the michael account (it wasn't used anyway), and downloaded a new copy of chkrootkit, installed it and ran it along with chklastlog and chkwtmp. Nothing was found. Perhaps this was a harmless enough prank? Anything else I ought to look at? Fortunately the michael account did not have the ability to su to root.

The individual in Romania *was not* able to log in as michael. The message you saw was sshd saying "Someone's trying to SSH in as user michael; SSH key negotiation failed, and now I'm asking them to type in their password manually".

It's not a prank. Shady online individuals have written scripts/tools that repetitively beat on sshd, trying to find an account they can log in as. They're simply scanning for valid accounts, and they also often try many passwords over and over (common things, such as the username as a password).

Welcome to the Internet circa 2008. :(

"So how do I solve this problem?"

The easiest way: change sshd to listen on a port *other* than 22. Many people pick . This relieves 99% of the pain, but requires you to tell your users/co-workers/peers "My box listens on port for ssh, not 22".

A secondary way: programs which monitor logs and add firewall block rules when they see too many brute force attempts coming from an IP address:

ports/security/blocksshd
ports/security/sshblock
ports/security/sshguard

(I think I forgot one more, but those are the main three)

--
| Jeremy Chadwick                              jdc at parodius.com |
| Parodius Networking                     http://www.parodius.com/ |
| UNIX Systems Administrator                Mountain View, CA, USA |
| Making life hard for others since 1977.            PGP: 4BD6C0CB |
Re: Question about entry in auth.log
On Fri, 14 Nov 2008, Tom Marchand wrote:

> Or michael is vacationing in Romania.

Very odd. Sigh, Michael is not vacationing in Romania. Doubt he's ever been there. I got rid of the michael account (it wasn't used anyway), and downloaded a new copy of chkrootkit, installed it and ran it along with chklastlog and chkwtmp. Nothing was found. Perhaps this was a harmless enough prank? Anything else I ought to look at? Fortunately the michael account did not have the ability to su to root.

Lisa
Re: Question about entry in auth.log
On Nov 14, 2008, at 8:00 PM, Steven Susbauer wrote:

> Lisa Casey wrote:
>> Hi,
>>
>> I run several FreeBSD servers. Today I noticed an entry in the auth.log on one of them that concerns me. The entry is this:
>>
>> Nov 12 15:44:29 mail sshd[30160]: Accepted keyboard-interactive/pam for michael from 89.123.165.3 port 55185 ssh2
>>
>> There is a user michael on the system, but whoever was doing this was not him.
>>
>> I am assuming someone tried to break in using a valid username (michael) but with an incorrect password. So I just conducted an experiment to see if I could replicate that log entry using another valid username: mandy. I ssh'ed into the server, gave mandy as the username with an incorrect password. The auth.log entry for that attempt is this:
>>
>> Nov 14 19:44:54 mail sshd[96194]: Failed password for mandy from 72.155.127.223 port 51919 ssh2
>>
>> and when I used something called keyboard interactive as the primary authentication method in my ssh client, I get this:
>>
>> sshd[96348]: error: PAM: authentication error for mandy from 72.155.127.223
>>
>> Nothing about Accepted keyboard-interactive/pam. What does Accepted keyboard-interactive/pam mean?
>>
>> Also, in my ssh client, for authentication methods I have a choice of password, publickey or keyboard interactive. I've always used password, and never even noticed that keyboard interactive before. What is that?
>>
>> Thanks,
>>
>> Lisa Casey
>
> Keyboard-interactive includes when the server sends requests such as "Password:" to which the connector responds by typing their password. This is different from entering the password in your client before connecting.
>
> Example:
>
> $ ssh [EMAIL PROTECTED]
> [EMAIL PROTECTED]'s password:
>
> Try doing similar with the correct password and I bet you will see the "Accepted/keyboard-interactive", it may be possible that michael's password is no longer secure.

Or michael is vacationing in Romania.
Re: Question about entry in auth.log
Lisa Casey wrote:
> Hi,
>
> I run several FreeBSD servers. Today I noticed an entry in the auth.log on one of them that concerns me. The entry is this:
>
> Nov 12 15:44:29 mail sshd[30160]: Accepted keyboard-interactive/pam for michael from 89.123.165.3 port 55185 ssh2
>
> There is a user michael on the system, but whoever was doing this was not him.
>
> I am assuming someone tried to break in using a valid username (michael) but with an incorrect password. So I just conducted an experiment to see if I could replicate that log entry using another valid username: mandy. I ssh'ed into the server, gave mandy as the username with an incorrect password. The auth.log entry for that attempt is this:
>
> Nov 14 19:44:54 mail sshd[96194]: Failed password for mandy from 72.155.127.223 port 51919 ssh2
>
> and when I used something called keyboard interactive as the primary authentication method in my ssh client, I get this:
>
> sshd[96348]: error: PAM: authentication error for mandy from 72.155.127.223
>
> Nothing about Accepted keyboard-interactive/pam. What does Accepted keyboard-interactive/pam mean?
>
> Also, in my ssh client, for authentication methods I have a choice of password, publickey or keyboard interactive. I've always used password, and never even noticed that keyboard interactive before. What is that?
>
> Thanks,
>
> Lisa Casey

Keyboard-interactive includes when the server sends requests such as "Password:" to which the connector responds by typing their password. This is different from entering the password in your client before connecting.

Example:

$ ssh [EMAIL PROTECTED]
[EMAIL PROTECTED]'s password:

Try doing similar with the correct password and I bet you will see the "Accepted/keyboard-interactive", it may be possible that michael's password is no longer secure.
Question about entry in auth.log
Hi,

I run several FreeBSD servers. Today I noticed an entry in the auth.log on one of them that concerns me. The entry is this:

Nov 12 15:44:29 mail sshd[30160]: Accepted keyboard-interactive/pam for michael from 89.123.165.3 port 55185 ssh2

There is a user michael on the system, but whoever was doing this was not him.

I am assuming someone tried to break in using a valid username (michael) but with an incorrect password. So I just conducted an experiment to see if I could replicate that log entry using another valid username: mandy. I ssh'ed into the server, gave mandy as the username with an incorrect password. The auth.log entry for that attempt is this:

Nov 14 19:44:54 mail sshd[96194]: Failed password for mandy from 72.155.127.223 port 51919 ssh2

and when I used something called keyboard interactive as the primary authentication method in my ssh client, I get this:

sshd[96348]: error: PAM: authentication error for mandy from 72.155.127.223

Nothing about Accepted keyboard-interactive/pam. What does Accepted keyboard-interactive/pam mean?

Also, in my ssh client, for authentication methods I have a choice of password, publickey or keyboard interactive. I've always used password, and never even noticed that keyboard interactive before. What is that?

Thanks,

Lisa Casey
RE: auth.log & intruder prevention
What is happening to you is not unique. There are 4 common solutions to this problem.

1. The simplest is to add a deny rule to your firewall for the offending ip address.

2. Use the "routed blackhole" command. Example:

   To Add use     route add -host attacker_ip 127.0.0.1 -blackhole
   To Delete use  route delete -host attacker_ip 127.0.0.1 -blackhole
   To List use    netstat -nr|grep 127

This is executed in the IP stack and is faster than in the firewall when you have over 20 of those special "deny this IP address" rules in the firewall. The "attacker_ip" is found in the log records in the /var/log/auth.log file. You can create a script (route_blackholed_ip.sh) containing route commands for all the IP addresses that have attacked you in the past and save it to /usr/local/etc/rc.d/ so it will be run at boot time.

*** note ***
The problem using either of the above methods is the attacker may just use a different ip address in the same range. Depending on where your authorized traffic is coming from you can deny or blackhole the complete subnet. Even the whole xxx.0.0.0 by coding the ip address with /xx after it.
*** note end ***

3. If you know the ip address of your authorized ssh users then add rules to your firewall to pass just those authorized ip addresses to port 22 and deny all else.

4. All of the above solutions will not stop the flow of traffic to port 22 driving up your bandwidth usage, just stop it from getting to ssh which is already doing a fine job of stopping it now. The only way to reduce the unauthorized traffic to your port 22 is not to have port 22 open. In the ssh logon command you can enter the port number you have ssh using. So change the port ssh uses and the script kiddies will not be able to find your ssh access port. You can change the port ssh is listening on by editing the ssh entry in /etc/services to some high number port of your choosing and then have all your ssh users include that port number in their remote login command. Allow that port number to pass in your firewall and deny port 22. This way the attackers will not see the ssh port open and will not waste time on you any longer.

** to get revenge on your attackers **
Attackers who beat on ssh/telnet/ftp are looking to break into your box so they have to be using their real ip address to receive the response when they succeed (ie not using a spoofed ip address). If you use the ipfilter firewall you can use the FreeBSD port ppars-1.0 to read the log file and auto generate an email to the isp owner of the ip address range the attacker is using. Most ISPs around the world have usage user agreements that this attacking behavior is not allowed. In most cases the ISP will terminate the attacker's account. In time your ip address will become known as a place not to probe and your bandwidth usage will decline.

The install guide at www.a1poweruser.com (section 6.13 Defending Against Attacks) has a more detailed explanation.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Hamilton
Sent: Wednesday, January 25, 2006 10:05 PM
To: 'Daniel Gerzo'; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: auth.log & intruder prevention

Hi Daniel,

On your web site, you show how easy it is to convert to IPTABLES. I presume then it would be quite easy to reconfigure to use IPFW as well?

Cheers,
Paul

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gerzo
> Sent: Wednesday, 25 January 2006 7:58 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: auth.log & intruder prevention
>
> On Tue, Jan 24, 2006 at 10:02:26PM +0100, Ilias Sachpazidis wrote:
> > Hi Everyone,
>
> hello,
>
> > In auth.log of my FreeBSD boxes I got many requests to port 22, as you can see below.
> > begin of snippet
> > Jan 22 11:21:50 zeus sshd[92900]: Failed password for illegal user cracking from 65.208.188.105 port 58344 ssh2
> > Jan 22 11:21:53 zeus sshd[92902]: Failed password for illegal user hacking from 65.208.188.105 port 58443 ssh2
> > end of snippet
> >
> > I am wondering if any script is available to prevent hundreds of attempts on port 22 from external IPs that are constantly checking user & passwords on my FreeBSD PCs.
> >
> > What I am looking for is a daemon application/script that receives the recorded data from auth.log and detects if any remote client (IP address) is checking user and passwords (Detection pattern: 5 missing attempts in 1 min). On a successful detection, the script should add an ipfw rule rejecting further IP packets from the specific remote address.
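The message above describes a procedure (collect attacker addresses from /var/log/auth.log, turn them into route ... -blackhole commands, keep them in a script run at boot, and widen to the whole range when the attacker keeps changing hosts) without showing the script. The Python below is an added example that builds that script from log lines; it is not the poster's route_blackholed_ip.sh, not ppars, and nothing in it executes a route command. The log excerpt is constructed in the formats quoted in this thread, and the minimum failure count, the "three hosts in one /24 means blackhole the /24" threshold, and the trusted-network list are assumptions to be tuned locally.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed auth.log excerpt in the line formats quoted in this thread (not a
# real log). Three hosts in 65.208.188.0/24 hammer the box, one host in
# 211.55.48.0/24 does, 65.208.2.9 fails once, and 192.168.0.8 is a LAN machine
# with a mistyped password that must never be blackholed.
SAMPLE_LOG = """\
Jan 22 11:21:50 zeus sshd[92900]: Failed password for illegal user cracking from 65.208.188.105 port 58344 ssh2
Jan 22 11:21:53 zeus sshd[92902]: Failed password for illegal user hacking from 65.208.188.105 port 58443 ssh2
Jan 22 11:21:55 zeus sshd[92904]: Failed password for illegal user lol from 65.208.188.105 port 58543 ssh2
Jan 22 11:30:01 zeus sshd[92950]: Failed password for illegal user test from 65.208.188.17 port 40111 ssh2
Jan 22 11:30:04 zeus sshd[92952]: Failed password for illegal user admin from 65.208.188.17 port 40122 ssh2
Jan 22 11:30:07 zeus sshd[92954]: Failed password for root from 65.208.188.17 port 40130 ssh2
Jan 22 11:45:10 zeus sshd[93001]: Invalid user oracle from 65.208.188.230
Jan 22 11:45:12 zeus sshd[93003]: Invalid user guest from 65.208.188.230
Jan 22 11:45:15 zeus sshd[93005]: Invalid user ftp from 65.208.188.230
Jan 22 12:01:00 zeus sshd[93100]: User root from 211.55.48.179 not allowed because not listed in AllowUsers
Jan 22 12:01:02 zeus sshd[93102]: User root from 211.55.48.179 not allowed because not listed in AllowUsers
Jan 22 12:01:05 zeus sshd[93104]: Invalid user admin from 211.55.48.179
Jan 22 12:10:00 zeus sshd[93200]: Failed password for asarian from 192.168.0.8 port 3535 ssh2
Jan 22 12:10:03 zeus sshd[93202]: Failed password for asarian from 192.168.0.8 port 3536 ssh2
Jan 22 12:10:05 zeus sshd[93204]: Failed password for asarian from 192.168.0.8 port 3537 ssh2
Jan 22 12:15:00 zeus sshd[93300]: Failed password for illegal user pgl from 65.208.2.9 port 58640 ssh2
Jan 22 12:20:00 zeus sshd[93400]: Accepted publickey for ilias from 10.47.0.110 port 55753 ssh2
"""

# the three sshd failure/rejection forms seen in this thread; Accepted lines do not match
FAILED_RE = re.compile(r"sshd\[\d+\]: (?:Failed \S+ for|Invalid user|User) .*? from (?P<ip>\d+\.\d+\.\d+\.\d+)")


def offending_ips(log, min_failures=3):
    """Source addresses with at least min_failures failed or rejected attempts."""
    counts = Counter(m["ip"] for m in map(FAILED_RE.search, log.splitlines()) if m)
    return {ip for ip, n in counts.items() if n >= min_failures}


def blackhole_targets(ips, trusted=(), agg_threshold=3, prefix=24):
    """Decide what to blackhole. Hosts inside a trusted network are skipped (you
    would otherwise lock out your own LAN on a typo); when agg_threshold or more
    offenders share one /prefix the whole network replaces its members, which is
    the "same range" note above. Returns CIDR strings for networks and plain
    addresses for single hosts, in address order."""
    trusted_nets = [ip_network(t) for t in trusted]
    by_net = defaultdict(list)
    for ip in ips:
        host = ip_address(ip)
        if any(host in net for net in trusted_nets):
            continue
        by_net[ip_network(f"{host}/{prefix}", strict=False)].append(host)
    targets = []
    for net, members in sorted(by_net.items()):
        if len(members) >= agg_threshold:
            targets.append(str(net))
        else:
            targets.extend(str(h) for h in sorted(members))
    return targets


def rc_script(targets):
    """Text of a route_blackholed_ip.sh as the message describes; review it before
    installing it under /usr/local/etc/rc.d/. Nothing is executed here."""
    lines = ["#!/bin/sh",
             "# blackhole routes for ssh brute-force sources; list with: netstat -nr | grep 127"]
    for t in targets:
        kind = "-net" if "/" in t else "-host"
        lines.append(f"route add {kind} {t} 127.0.0.1 -blackhole")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    targets = blackhole_targets(offending_ips(SAMPLE_LOG), trusted=["192.168.0.0/16", "10.0.0.0/8"])
    print(rc_script(targets), end="")
```

On the sample this yields one -net route for 65.208.188.0/24 and one -host route for 211.55.48.179; 65.208.2.9 is below the failure threshold and 192.168.0.8 is excluded by the trusted list. The blackhole route only drops traffic that the host itself routes to those destinations, so it stops the reply half of the TCP handshake (the attacker's SYNs still arrive and still cost bandwidth, as point 4 of the message says), and a /24 aggregate can just as easily drop a legitimate user who happens to sit in the same range, which is why the script is generated for review rather than applied directly.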
RE: auth.log & intruder prevention
Hi Daniel,

On your web site, you show how easy it is to convert to IPTABLES. I presume then it would be quite easy to reconfigure to use IPFW as well?

Cheers,
Paul

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gerzo
> Sent: Wednesday, 25 January 2006 7:58 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: auth.log & intruder prevention
>
> On Tue, Jan 24, 2006 at 10:02:26PM +0100, Ilias Sachpazidis wrote:
> > Hi Everyone,
>
> hello,
>
> > In auth.log of my FreeBSD boxes I got many requests to port 22, as you can see below.
> > begin of snippet
> > Jan 22 11:21:50 zeus sshd[92900]: Failed password for illegal user cracking from 65.208.188.105 port 58344 ssh2
> > Jan 22 11:21:53 zeus sshd[92902]: Failed password for illegal user hacking from 65.208.188.105 port 58443 ssh2
> > end of snippet
> >
> > I am wondering if any script is available to prevent hundreds of attempts on port 22 from external IPs that are constantly checking user & passwords on my FreeBSD PCs.
> >
> > What I am looking for is a daemon application/script that receives the recorded data from auth.log and detects if any remote client (IP address) is checking user and passwords (Detection pattern: 5 missing attempts in 1 min). On a successful detection, the script should add an ipfw rule rejecting further IP packets from the specific remote address.
> >
> > Is any script or something similar available so far?
>
> I've written a BruteForceBlocker, you can install it from ports as well, check security/bruteforceblocker.
>
> Hope you will like it.
>
> --
> Sincerely,
>   Daniel Gerzo
thread hijacking, was: auth.log & intruder prevention
On 24/01/06 Ilias Sachpazidis said:
> Hi Everyone,
>
> In auth.log of my FreeBSD boxes I got many requests to port 22, as you can see below.

It's considered poor mailing list etiquette to hijack a thread. Please start a new post instead. Some of us are using threaded mail readers.

Thanks,
Mike

--
Michael P. Soulier <[EMAIL PROTECTED]>
"Any intelligent fool can make things bigger and more complex... It takes a touch of genius - and a lot of courage to move in the opposite direction." --Albert Einstein
RE: auth.log & intruder prevention
Thanks Daniel,

I was about to develop a perl script. It, however, seems that bruteforceblocker does what I was looking for.

Thanks again,
Ilias

-----Original Message-----
From: Daniel Gerzo [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 25 January 2006 00:58
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: auth.log & intruder prevention

On Tue, Jan 24, 2006 at 10:02:26PM +0100, Ilias Sachpazidis wrote:
> Hi Everyone,

hello,

> In auth.log of my FreeBSD boxes I got many requests to port 22, as you can see below.
> begin of snippet
> Jan 22 11:21:50 zeus sshd[92900]: Failed password for illegal user cracking from 65.208.188.105 port 58344 ssh2
> Jan 22 11:21:53 zeus sshd[92902]: Failed password for illegal user hacking from 65.208.188.105 port 58443 ssh2
> end of snippet
>
> I am wondering if any script is available to prevent hundreds of attempts on port 22 from external IPs that are constantly checking user & passwords on my FreeBSD PCs.
>
> What I am looking for is a daemon application/script that receives the recorded data from auth.log and detects if any remote client (IP address) is checking user and passwords (Detection pattern: 5 missing attempts in 1 min). On a successful detection, the script should add an ipfw rule rejecting further IP packets from the specific remote address.
>
> Is any script or something similar available so far?

I've written a BruteForceBlocker, you can install it from ports as well, check security/bruteforceblocker.

Hope you will like it.

--
Sincerely,
  Daniel Gerzo
Re: auth.log & intruder prevention
On Tue, Jan 24, 2006 at 10:02:26PM +0100, Ilias Sachpazidis wrote:
> Hi Everyone,

hello,

> In auth.log of my FreeBSD boxes I got many requests to port 22, as you can see below.
> begin of snippet
> Jan 22 11:21:50 zeus sshd[92900]: Failed password for illegal user cracking from 65.208.188.105 port 58344 ssh2
> Jan 22 11:21:53 zeus sshd[92902]: Failed password for illegal user hacking from 65.208.188.105 port 58443 ssh2
> end of snippet
>
> I am wondering if any script is available to prevent hundreds of attempts on port 22 from external IPs that are constantly checking user & passwords on my FreeBSD PCs.
>
> What I am looking for is a daemon application/script that receives the recorded data from auth.log and detects if any remote client (IP address) is checking user and passwords (Detection pattern: 5 missing attempts in 1 min). On a successful detection, the script should add an ipfw rule rejecting further IP packets from the specific remote address.
>
> Is any script or something similar available so far?

I've written a BruteForceBlocker, you can install it from ports as well, check security/bruteforceblocker.

Hope you will like it.

--
Sincerely,
  Daniel Gerzo
RE: auth.log & intruder prevention
We are talking about a few users and nobody has a permanent IP.

-IS

-----Original Message-----
From: Dan O'Connor [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 24 January 2006 22:29
To: [EMAIL PROTECTED]
Subject: Re: auth.log & intruder prevention

> I am wondering if any script is available to prevent hundreds of attempts on port 22 from external IPs that are constantly checking user & passwords on my FreeBSD PCs.

I can't help you with a greylist solution, but how many users do you have that ssh in from the outside? If you don't have too many, and they come from stable IP addresses, you could always set up firewall rules to allow specific connections and block other attempts to connect to port 22:

# My Trusted SSH Sites
dan="123.45.67.89"
jim="234.56.78.90"
. . .

# SSH Login - Allow only trusted incoming on outside interface
${fwcmd} add pass log tcp from ${dan} to any 22 in via ${oif} setup
${fwcmd} add pass log tcp from ${jim} to any 22 in via ${oif} setup
. . .
${fwcmd} add deny log tcp from any to any 22 in via ${oif} setup

~Dan

--
FreeBSD Cheat Sheets
http://www.mostgraveconcern.com/freebsd/
auth.log & intruder prevention
Hi Everyone,

In auth.log of my FreeBSD boxes I got many requests to port 22, as you can see below.

begin of snippet
Jan 22 11:21:50 zeus sshd[92900]: Failed password for illegal user cracking from 65.208.188.105 port 58344 ssh2
Jan 22 11:21:53 zeus sshd[92902]: Failed password for illegal user hacking from 65.208.188.105 port 58443 ssh2
Jan 22 11:21:55 zeus sshd[92904]: Failed password for illegal user lol from 65.208.188.105 port 58543 ssh2
Jan 22 11:21:57 zeus sshd[92906]: Failed password for illegal user pgl from 65.208.188.105 port 58640 ssh2
Jan 22 11:22:00 zeus sshd[92908]: Failed password for illegal user player from 65.208.188.105 port 58741 ssh2
Jan 22 11:22:02 zeus sshd[92910]: Failed password for illegal user root4me from 65.208.188.105 port 58842 ssh2
end of snippet

I am wondering if any script is available to prevent hundreds of attempts on port 22 from external IPs that are constantly checking user & passwords on my FreeBSD PCs.

What I am looking for is a daemon application/script that receives the recorded data from auth.log and detects if any remote client (IP address) is checking user and passwords (Detection pattern: 5 missing attempts in 1 min). On a successful detection, the script should add an ipfw rule rejecting further IP packets from the specific remote address.

Is any script or something similar available so far?

All the best,
Ilias
Re: Auth.log date issue?
On Wed, 9 Mar 2005, Mark wrote:

> Which is curious, as the IP address no longer has a machine on it. Then I checked, and after a while I suddenly noticed /var/log/auth.log was dated March 8, 2004! Apparently, the security script just checks the date, but not the year? Is it supposed to work this way? It gave me a good scare, all for nothing. :)

The exact same thing happened to me a few months ago. I think the script is written with the assumption that the auth.log will be rotated at least once a year; but if you don't have a lot of authorization activity, it can easily go beyond that without rotating, because the default for newsyslog.conf is to only rotate auth.log when it gets beyond a certain size. Just add a time for auth.log to rotate, and this will go away. (rotates auth.log once a month)

/var/log/auth.log    600  7    256  $M1D0  Z

--
David Fleck
[EMAIL PROTECTED]
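Mark's false alarm comes from a property of syslog timestamps: they carry no year, so a check that greps auth.log for yesterday's "Mar  8" also matches March 8 of any earlier year still sitting in an unrotated file. The Python below is an added example, not the periodic security script itself. It reconstructs a year for each line from the file's last-write time (the newest line gets that year; walking backwards, the year is decremented whenever a line's month/day is later than the line after it), then selects only failures inside the reporting window, next to the month/day-only match that produced the scare. The log lines, the file mtime and the report time are constructed to reproduce the scenario in the thread; in real use the mtime would come from os.stat on /var/log/auth.log.

```python
from datetime import datetime, timedelta

# Constructed excerpt (not Mark's real log): the file was last written on
# 8 Mar 2004 and never rotated, and the daily security run fires on 9 Mar 2005.
# Two lines straddle a New Year so the year reconstruction has something to do.
SAMPLE_AUTH_LOG = """\
Dec 31 23:59:58 asarian-host sshd[1500]: Failed password for root from 10.0.0.5 port 4000 ssh2
Jan  1 00:00:03 asarian-host sshd[1502]: Failed password for root from 10.0.0.5 port 4001 ssh2
Mar  8 22:11:20 asarian-host sshd[32810]: Failed password for asarian from 192.168.0.8 port 3535 ssh2
Mar  8 22:11:36 asarian-host sshd[32812]: Failed password for asarian from 192.168.0.8 port 3536 ssh2
Mar  8 22:11:39 asarian-host sshd[32814]: Failed password for asarian from 192.168.0.8 port 3537 ssh2
"""
# assumed values; in production: datetime.fromtimestamp(os.stat(path).st_mtime) and datetime.now()
FILE_MTIME = datetime(2004, 3, 8, 22, 11, 39)
REPORT_TIME = datetime(2005, 3, 9, 3, 1, 0)


def _key(dt):
    """Month/day/time only: the part a syslog timestamp actually records."""
    return (dt.month, dt.day, dt.hour, dt.minute, dt.second)


def date_lines(log, last_write):
    """Attach a year to every line. The newest line gets last_write's year; going
    backwards, a line whose month/day is later than the line after it must belong
    to the previous year, so the year is decremented there."""
    stamped = []
    for line in log.splitlines():
        if line.strip():
            stamp = " ".join(line.split()[:3])            # "Mar 8 22:11:20"
            stamped.append((datetime.strptime(stamp, "%b %d %H:%M:%S"), line))
    year, prev = last_write.year, _key(last_write)
    dated = []
    for dt, line in reversed(stamped):
        if _key(dt) > prev:
            year -= 1
        prev = _key(dt)
        dated.append((dt.replace(year=year), line))
    dated.reverse()
    return dated


def naive_failures(log, now):
    """What the check Mark describes effectively does: match yesterday's month/day
    prefix and ignore the year entirely."""
    yesterday = now - timedelta(days=1)
    prefix = f"{yesterday:%b} {yesterday.day:2d} "        # "Mar  8 ", padded like syslog
    return [l for l in log.splitlines() if l.startswith(prefix) and "Failed password" in l]


def recent_failures(log, last_write, now, hours=24):
    """Failures whose reconstructed timestamp falls inside the report window."""
    since = now - timedelta(hours=hours)
    return [line for dt, line in date_lines(log, last_write)
            if "Failed password" in line and since <= dt <= now]


if __name__ == "__main__":
    print("month/day only:", len(naive_failures(SAMPLE_AUTH_LOG, REPORT_TIME)), "failures reported")
    print("year-aware    :", len(recent_failures(SAMPLE_AUTH_LOG, FILE_MTIME, REPORT_TIME)), "failures reported")
```

With the 2004 mtime the year-aware check reports nothing (the three "Mar 8" lines are dated 2004 and the Dec 31 line lands in 2003), while the month/day match reports all three, which is Mark's scare; change the mtime to 2005 and the same three lines are correctly reported. The reconstruction assumes the clock did not jump backwards while the file was written, and it is a diagnostic aid rather than a substitute for the fix David gives, which is to rotate on a schedule ($M1D0) so a year's worth of stale lines never accumulates in the first place.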
strange things in my /var/log/auth.log
Hello list,

when I do that:

cat /var/log/auth.log | grep listening

I got this:

Mar 3 14:23:21 mail sshd[380]: Server listening on :: port 22.
Mar 3 14:23:21 mail sshd[380]: Server listening on 0.0.0.0 port 22.
Mar 3 17:01:51 mail sshd[2364]: Server listening on :: port 22.
Mar 3 17:01:51 mail sshd[2364]: Server listening on 0.0.0.0 port 22.
Mar 3 17:11:15 mail sshd[406]: Server listening on :: port 22.
Mar 3 17:11:15 mail sshd[406]: Server listening on 0.0.0.0 port 22.
Mar 9 12:51:47 mail sshd[408]: Server listening on :: port 22.
Mar 9 12:51:47 mail sshd[408]: Server listening on 0.0.0.0 port 22.
Mar 9 13:19:28 mail sshd[407]: Server listening on :: port 22.
Mar 9 13:19:28 mail sshd[407]: Server listening on 0.0.0.0 port 22.

These messages appeared only two times in the last nonstop run of my machine over one week... Is this normal? I don't think so.

I have to say that somebody tried several times in the last week to log in via ssh, but didn't have success because I have a good password, I think...

With regards
Stevan Tiefert
Auth.log date issue?
Running FreeBSD 4.10, today I saw this in my log:

asarian-host.net login failures:
Mar 8 22:11:20 asarian-host sshd[32810]: Failed password for asarian from 192.168.0.8 port 3535 ssh2
Mar 8 22:11:36 asarian-host sshd[32812]: Failed password for asarian from 192.168.0.8 port 3536 ssh2
Mar 8 22:11:39 asarian-host sshd[32814]: Failed password for asarian from 192.168.0.8 port 3537 ssh2

Which is curious, as the IP address no longer has a machine on it. Then I checked, and after a while I suddenly noticed /var/log/auth.log was dated March 8, 2004! Apparently, the security script just checks the date, but not the year? Is it supposed to work this way? It gave me a good scare, all for nothing. :)

Thanks,
- Mark
Auth.log and Cyrus SASL
Hey all,

The email from Mr. Gerhardt prompted me to take a look at auth.log, and I noticed a couple of things that concerned me. I just set Cyrus-SASL up, and I see these entries in my auth.log file:

Jun 28 18:31:48 grog saslauthd[187]: START: saslauthd 1.5.28
Jun 28 18:31:48 grog saslauthd[194]: daemon started, listening on /var/state/saslauthd1/mux
Jun 29 21:59:05 grog saslauthd[194]: Caught signal 15. Cleaning up and terminating.
Jun 29 22:00:30 grog saslpasswd: failed to set plaintext secret for cyrus: generic failure
Jun 29 22:00:30 grog saslpasswd: failed to set APOP secret for cyrus: generic failure
Jun 29 22:00:30 grog saslpasswd: PLAIN: failed to set secret for cyrus: generic failure
Jun 29 22:00:30 grog saslpasswd: DIGEST-MD5: set secret for cyrus
Jun 29 22:00:30 grog saslpasswd: CRAM-MD5: set secret for cyrus
Jun 29 22:00:30 grog saslpasswd: failed to disable account for cyrus: user not found
Jun 29 22:00:30 grog saslpasswd: failed to disable APOP account for cyrus: user not found
Jun 29 22:00:30 grog saslpasswd: PLAIN: failed to set secret for cyrus: user not found
Jun 29 22:00:30 grog saslpasswd: DIGEST-MD5: set secret for cyrus
Jun 29 22:00:30 grog saslpasswd: CRAM-MD5: set secret for cyrus
Jun 29 22:05:14 grog saslauthd[14304]: START: saslauthd 1.5.28
Jun 29 22:05:14 grog saslauthd[14309]: daemon started, listening on /var/state/saslauthd1/mux

Any idea what these mean, and how I can go about fixing them?

Thanks.

Found on Conan O'Brien: Children's books written by celebrities; By Mel Gibson: Jesus Christ and the Terrible, Horrible, No Good, Very Bad Day.
- Keep your powder dry and your pecker hard and the world WILL turn.
- Eric F Crist
Auth.log
I'm running FreeBSD 4.7 and I noticed that /var/log/auth.log does not include the year (YYYY) in the log entries. My daily cron jobs recently sent notice that there were some failed login attempts on July 3 to an account that was removed many months ago. This raised concern, so I did a thorough check and determined that the failed login attempt occurred July 03 of 2003, _not_ 2004.

Shouldn't auth.log include the full YYYY-MM-DD date to avoid confusion in case auth.log doesn't rotate between years? This should apply to all logs, especially security-related logs...

Thanks,
-- 
Scott A. Gerhardt, P.Geo.
Gerhardt Information Technologies
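Mark's, David's and Scott's posts all hit the same problem: the syslog prefix is "Mon dd HH:MM:SS" with no year, so a daily check that matches only yesterday's month and day cannot tell a March 8 from a year ago from the one that just happened. David's newsyslog line fixes it by making sure the file never spans two years. The added example below (not code from any of these posts, nor from FreeBSD's own periodic scripts) shows the other half: recovering each entry's year from the file itself. The file's mtime bounds the last entry from above, and because syslog appends in order, walking backwards and decrementing the year whenever a timestamp is later in the year than the one after it reconstructs the years as long as no two consecutive entries are more than a year apart. The sample log is constructed: the three failure lines are the ones Mark quoted (with syslog's space-padded day restored), the Dec 20 line is made up so the file crosses a year boundary, and the 2004/2005 clock values are assumptions matching the thread.

```python
import os
import re
from datetime import datetime, timedelta

# The year-less syslog prefix; \s+ tolerates the space-padded day ("Mar  8").
SYSLOG_TS_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) ")

# Constructed sample: the three "Failed password" lines are the ones quoted in
# Mark's post; the Dec 20 line is made up so that the file spans a year boundary.
SAMPLE_AUTH_LOG = """\
Dec 20 08:00:00 asarian-host sshd[1000]: Accepted publickey for asarian from 192.168.0.8 port 3000 ssh2
Mar  8 22:11:20 asarian-host sshd[32810]: Failed password for asarian from 192.168.0.8 port 3535 ssh2
Mar  8 22:11:36 asarian-host sshd[32812]: Failed password for asarian from 192.168.0.8 port 3536 ssh2
Mar  8 22:11:39 asarian-host sshd[32814]: Failed password for asarian from 192.168.0.8 port 3537 ssh2
""".splitlines()

# Assumed clocks matching the thread: the file was last written in March 2004,
# the daily check runs a year later (NOW) or the next morning (NOW_NEXT_DAY).
LOG_MTIME = datetime(2004, 3, 8, 22, 11, 39)
NOW = datetime(2005, 3, 9, 3, 1, 0)
NOW_NEXT_DAY = datetime(2004, 3, 9, 3, 1, 0)


def parse_syslog_ts(line, year):
    """Parse the 'Mon dd HH:MM:SS' prefix, attaching the given year. Returns
    None for lines without a prefix; raises ValueError for an impossible date
    (e.g. 'Feb 29' against a non-leap year)."""
    m = SYSLOG_TS_RE.match(line)
    if m is None:
        return None
    return datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                             "%Y %b %d %H:%M:%S")


def naive_yesterday_failures(lines, now):
    """What a check keyed on month and day alone does: every entry carrying
    yesterday's 'Mon dd' matches, whichever year it was really written in."""
    yesterday = (now - timedelta(days=1)).date()
    hits = []
    for line in lines:
        ts = parse_syslog_ts(line, now.year)
        if ts is not None and ts.date() == yesterday and "Failed password" in line:
            hits.append(line)
    return hits


def assign_years(lines, log_mtime):
    """Attach a year to every entry by walking the file backwards.

    The mtime is an upper bound on the last entry, which fixes its year.
    Going backwards, an entry later in the year than the one after it means
    a Dec -> Jan boundary was crossed, so the year drops by one. Assumes
    consecutive entries are never more than a year apart."""
    dated = []
    year = log_mtime.year
    later = log_mtime
    for line in reversed(lines):
        try:
            ts = parse_syslog_ts(line, year)
        except ValueError:                 # Feb 29 seen from a non-leap year
            ts = parse_syslog_ts(line, year - 1)
        if ts is None:
            continue
        if ts > later:
            year -= 1
            ts = parse_syslog_ts(line, year)
        dated.append((ts, line))
        later = ts
    dated.reverse()
    return dated


def year_aware_failures(lines, log_mtime, now, hours=24):
    """Failed logins within the last `hours`, with years recovered from the file."""
    cutoff = now - timedelta(hours=hours)
    return [line for ts, line in assign_years(lines, log_mtime)
            if ts >= cutoff and "Failed password" in line]


def check_file(path, now=None):
    """Run the year-aware check against a real auth.log on disk."""
    mtime = datetime.fromtimestamp(os.stat(path).st_mtime)
    with open(path, errors="replace") as fh:
        lines = fh.read().splitlines()
    return year_aware_failures(lines, mtime, now or datetime.now())


if __name__ == "__main__":
    for line in check_file("/var/log/auth.log"):
        print(line)
```

Run against the sample with the 2005 clock, the naive check reports Mark's three lines (the false alarm he saw), while the year-aware one reports nothing, and with the 2004 clock it reports all three. The mtime anchor has one failure mode worth knowing: if the file was rotated and compressed, the .0.gz copy's mtime is the time of rotation, not of the last write, so apply the same walk but anchor on the first entry of the following file instead.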
Re: auth.log
Mark <[EMAIL PROTECTED]> writes:

> Is this a stuck key or an attack??

Looks like a stuck key to me. It's on the console, so if it was an attack, you'd've seen the attacker.

-- 
Lowell Gilbert, embedded/networking software engineer, Boston area:
resume/CV at http://be-well.ilk.org:8088/~lowell/resume/
username/password "public"
auth.log
Is this a stuck key or an attack??

Dec 14 19:23:34 boxs login: 2 LOGIN FAILURES ON ttyv6
Dec 14 19:23:34 boxs login: 2 LOGIN FAILURES ON ttyv6, ^[[A^[[G^[[B^[[G^[[G^[
Dec 14 19:23:35 boxs login: 2 LOGIN FAILURES ON ttyv7
Dec 14 19:23:35 boxs login: 2 LOGIN FAILURES ON ttyv7, ^[[G^[[G
Dec 14 19:23:45 boxs login: 2 LOGIN FAILURES ON ttyv6
Dec 14 19:23:45 boxs login: 2 LOGIN FAILURES ON ttyv6, ^[[A^[[G^[[G^[[G^[[G
Dec 14 19:23:46 boxs login: 2 LOGIN FAILURES ON ttyv7
Dec 14 19:23:46 boxs login: 2 LOGIN FAILURES ON ttyv7, ^[[G^[[G
Dec 14 19:24:35 boxs login: 2 LOGIN FAILURES ON ttyv6
Dec 14 19:24:35 boxs login: 2 LOGIN FAILURES ON ttyv6, ^[[G
Dec 14 19:26:05 boxs login: 2 LOGIN FAILURES ON ttyv6
Dec 14 19:26:05 boxs login: 2 LOGIN FAILURES ON ttyv6, ^[[G
Dec 14 19:27:06 boxs login: 2 LOGIN FAILURES ON ttyv6
Dec 14 19:27:06 boxs login: 2 LOGIN FAILURES ON ttyv6, ^[[G^[[G^[[G^[[B^[[G
Dec 14 19:27:11 boxs login: 6 LOGIN FAILURES ON ttyv7
Dec 14 19:27:11 boxs login: 6 LOGIN FAILURES ON ttyv7, ^[[G^[[G
Dec 14 19:27:17 boxs login: 2 LOGIN FAILURES ON ttyv6
Dec 14 19:27:17 boxs login: 2 LOGIN FAILURES ON ttyv6, ^[[G^[[G^[[G^[[G
Dec 14 19:27:24 boxs login: 2 LOGIN FAILURES ON ttyv7
Dec 14 19:27:24 boxs login: 2 LOGIN FAILURES ON ttyv7, ^[[G7^[[G
Dec 14 19:27:28 boxs login: 2 LOGIN FAILURES ON ttyv6
Dec 14 19:27:28 boxs login: 2 LOGIN FAILURES ON ttyv6, ^N^[[G^E^[[G^[[G^[[G
Dec 14 19:27:35 boxs login: 2 LOGIN FAILURES ON ttyv7
Dec 14 19:27:35 boxs login: 2 LOGIN FAILURES ON ttyv7, ^N^[[G^E^[[G
Dec 14 19:28:19 boxs login: 2 LOGIN FAILURES ON ttyv6
Dec 14 19:28:19 boxs login: 2 LOGIN FAILURES ON ttyv6, ^[[G
Dec 14 19:29:49 boxs login: 2 LOGIN FAILURES ON ttyv6
Dec 14 19:29:49 boxs login: 2 LOGIN FAILURES ON ttyv6, ^[[G^[[G^[[G^[[G

The motherboard beeper was sounding like morse code during this, but the box has performed without flaw after a reboot.

fbsd 5.1